
I've been round about the houses with this one for days; I've not found a solution yet that works. I haven't found a way to block HTTP access to the management plane either, so I had to give up and disable it completely.

In my show run:

ip access-list extended DENIED_SSH_ACCESS
 deny   tcp any host 192.168.1.2 eq 22
 permit ip any any

I've tried putting it in:

interface Dialer0 
 ip access-group DENIED-SSH-ACCESS in

This still allows SSH access from the WAN into the router.

I've also tried putting it in:

GigabitEthernet8 and also in interface Ethernet0.10; again, it doesn't block SSH access.

I'm not going to attempt to put it into Vlan1, as I'm pretty sure that's my internal network and that's going to lock me out.

How do I completely and totally turn off SSH access to the management plane from the WAN on the Cisco 890?

I've been through the Management Plane Protection Cisco document, but the commands literally don't work. For instance, the syntax Ethernet0/0 doesn't work; x/y syntax just doesn't seem to work at all on this router. I've tried Ethernet 0 0, and I've tried Ethernet0/1-4 to specify ranges too.

The instructions just don't work on this router.

E.g. one recommendation I've seen is to allow access to the management plane via a specific interface; the Cisco recommendation is:

control-plane host
management-interface GigabitEthernet 0/1 allow ssh https

However, when I run this, I get:

AtlasNet(config-cp-host)#management-interface GigabitEthernet 0/1 allow ssh https
                                                               ^
% Invalid input detected at '^' marker.

AtlasNet(config-cp-host)#

And if I try:

control-plane host
management-interface GigabitEthernet0 allow ssh https

Then my SSH connection going through GigabitEthernet0 freezes and I have to reboot the router, which makes no sense to me, as GigabitEthernet0 should be the only interface unaffected by the command...

Does anyone know how to disable WAN SSH access to the management plane?

Owl

1 Answer

I think I've just got it (partially). In case this helps anyone else ripping their hair out over this:

So I had a Vlan1 configured with:

!         
interface Vlan1
 description InternalNetwork
 ip address 192.168.1.2 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!       

And essentially this was my internal network. I then decided to put:

control-plane host
 management-interface Vlan1 allow https ssh 
!    

In other words, I connected the management interface to Vlan1 rather than the Ethernet port, which always caused the connection to hang, and now I can connect to the router via SSH from the LAN side, but I can't connect WAN-side.

The HTTPS is still forwarded to the WAN; I literally don't know why, so I disabled it, using:

no control-plane host
control-plane host
 management-interface Vlan1 allow ssh 
!    

Which is the behaviour I want (or close enough).

Owl
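An alternative to the interface ACL approach tried in the question, added here as an example and not taken from the post: filter the vty lines themselves with `access-class`, which applies to every inbound management session no matter which interface it arrives on, and keep the Management Plane Protection line the answer settled on. It assumes the LAN is 192.168.1.0/24 as in the post; the ACL name `MGMT_HOSTS` is an invented placeholder.

```cisco
! Added example, not the poster's configuration.
! Only hosts on the LAN subnet may open a vty session; everything else is
! denied and logged so that WAN-side attempts show up in the syslog.
ip access-list standard MGMT_HOSTS
 permit 192.168.1.0 0.0.0.255
 deny   any log
!
! The access-class filters the vty lines directly, so it works even where an
! interface ACL was attached to the wrong interface or did not match the
! router's WAN address. transport input ssh also disables telnet on the vtys.
line vty 0 4
 access-class MGMT_HOSTS in
 transport input ssh
!
! Management Plane Protection, as in the accepted configuration above: only
! sessions arriving on Vlan1 reach the management plane, and only over SSH.
control-plane host
 management-interface Vlan1 allow ssh
!
! Check the result with:
!   show management-interface
!   show access-lists MGMT_HOSTS
```

The ACL name referenced by `access-class` (and by `ip access-group`) must match the `ip access-list` name exactly; IOS does not warn when a referenced named ACL does not exist.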